
I am not seeing the risk scores modified. The alert_actions.conf looks correct, and I have tried different objects with no luck. We have notables with risk modification running, and those are working; just not from the search pipeline.


The example in the developer docs could perhaps be clearer. The first half of the example search is creating a dummy risk object called "mysystem". The second half is what you would use in your own environment, with the first half of the search being something specific that narrows down the search results to the object that you want to adjust the risk score for. Is that what you're doing already?
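A concrete shape for the two halves described in that answer, added here as an illustration; it is not the search from the original post or from the Splunk docs. The `sendalert risk` parameter names (`param._risk_object`, `param._risk_object_type`, `param._risk_score`, `param._risk_message`), the field name `risk_object`, and the index and sourcetype in the second search are assumptions to verify against the Enterprise Security version you have installed.

```spl
| makeresults
| eval risk_object="mysystem"
| sendalert risk param._risk_object="risk_object" param._risk_object_type="system" param._risk_score="20" param._risk_message="dummy object from makeresults"

index=wineventlog sourcetype="XmlWinEventLog" EventCode=4625
| stats count AS failed_logons BY dest
| where failed_logons > 50
| rename dest AS risk_object
| sendalert risk param._risk_object="risk_object" param._risk_object_type="system" param._risk_score="20" param._risk_message="excessive failed logons"

index=risk risk_object="mysystem"
| table _time risk_object risk_object_type risk_score risk_message source
```

The first search is the dummy-object test: `makeresults` produces one event, `eval` sets the field that names the object, and `sendalert risk` writes a risk event for it. The second search is the production form, where everything before `sendalert` is whatever narrows results to the objects whose score you want to adjust (here a constructed failed-logon count per host), and the field passed in `param._risk_object` must exist in the results at that point in the pipeline. The third search is the check: if the risk modifier fired, a row for `mysystem` appears in the risk index; if it does not, the problem is in the search pipeline (wrong or missing field name, no results reaching `sendalert`) rather than in alert_actions.conf.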